New version has patches for moderate and low severity flaws

Jun 12, 2015 13:18 GMT  ·  By

The latest security update for the OpenSSL cryptographic library includes a fix for a vulnerability that permits a threat actor to weaken the encryption mechanism that secures communication between two parties.

In May, it was disclosed that an attacker in a position to intercept traffic (man-in-the-middle) could weaken the encryption provided by the TLS (Transport Layer Security) secure communication protocol to a level at which it can be broken.

The flaw, tracked as CVE-2015-4000, was dubbed Logjam by researchers and touches on weak variants of the Diffie-Hellman cryptographic key exchange mechanism used for securing communication by numerous web and mail servers.

It consists of downgrading the connection to export-grade cryptography (512-bit), which is considered insecure given the computing power available today. Export-grade encryption was imposed in the SSL protocol through a policy in 1990 that required implementing weak ciphers in products exported outside the US.

A similar vulnerability, baptized FREAK (Factoring RSA Export Keys) by researchers, was uncovered in March. However, it did not touch on Diffie-Hellman key exchange but on the RSA export keys used in the encrypted connection offered by SSL/TLS.

Fix rejects handshakes for keys weaker than 768 bits

According to a security advisory, OpenSSL versions 1.2.2b and 1.0.1n integrate a fix created by Emilia Käsper and Kurt Roeckx from the library’s development team.

The patch prevents TLS clients from accepting handshakes with Diffie-Hellman parameters shorter than 768 bits. Developers plan to raise this lower limit to 1024 bits in a future release of OpenSSL.
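As an added example (not OpenSSL's own code), the client-side check the patch describes, written in Python over the raw ServerDHParams structure a TLS server sends in its ServerKeyExchange message; the sample messages are constructed values, not captured traffic:

```python
"""Minimum Diffie-Hellman group size check, modelled on the OpenSSL fix for
CVE-2015-4000 (Logjam): a TLS client refuses DHE handshakes whose prime p is
shorter than 768 bits (planned to rise to 1024).  Added example, not OpenSSL code.

ServerDHParams (RFC 5246, 7.4.3) is dh_p, dh_g, dh_Ys, each a 2-byte
big-endian length followed by that many bytes.
"""
import struct

MIN_DH_BITS = 768           # limit enforced by the patched OpenSSL releases
PLANNED_MIN_DH_BITS = 1024  # limit the developers plan to move to


def parse_server_dh_params(data: bytes) -> dict:
    """Split ServerDHParams into its p, g and Ys fields as integers."""
    fields, offset = {}, 0
    for name in ("p", "g", "Ys"):
        if offset + 2 > len(data):
            raise ValueError(f"truncated length prefix for dh_{name}")
        (length,) = struct.unpack_from("!H", data, offset)
        offset += 2
        if length == 0 or offset + length > len(data):
            raise ValueError(f"bad length {length} for dh_{name}")
        fields[name] = int.from_bytes(data[offset:offset + length], "big")
        offset += length
    return fields


def accept_dh_params(data: bytes, min_bits: int = MIN_DH_BITS) -> bool:
    """Return True only if the server's DH prime is at least min_bits long.
    bit_length() ignores leading zero bytes, so padding p cannot inflate it."""
    return parse_server_dh_params(data)["p"].bit_length() >= min_bits


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build a ServerDHParams blob (used here to construct sample input)."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed sample values: odd numbers of the given sizes standing in for
# group primes (they are not real primes; only the bit length matters here).
EXPORT_GRADE_MSG = encode_server_dh_params((1 << 511) | 1, 2, 12345)  # 512-bit
BORDERLINE_MSG = encode_server_dh_params((1 << 767) | 1, 2, 12345)    # 768-bit
STRONG_MSG = encode_server_dh_params((1 << 2047) | 1, 2, 12345)       # 2048-bit

if __name__ == "__main__":
    for label, msg in (("512", EXPORT_GRADE_MSG), ("768", BORDERLINE_MSG), ("2048", STRONG_MSG)):
        print(f"{label}-bit group accepted: {accept_dh_params(msg)}")
```

Passing `PLANNED_MIN_DH_BITS` as `min_bits` shows how the 768-bit group that the current fix still accepts would be rejected once the limit moves to 1024.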

Users are urged to move to the new releases without delay, as the new OpenSSL includes other security improvements of moderate and low severity.

One of them relates to the way the library processes an ECParameters structure and could be exploited for denial-of-service (DoS) against systems that process public keys, certificate requests or certificates, including TLS clients and servers that have authentication enabled.

Another one leading to a DoS condition refers to an out-of-bounds read in the X509_cmp_time function, which can be exploited to terminate applications that check digital certificates or CRLs (certificate revocation lists).